AI Governance Frameworks Compared: EU AI Act, ISO 42001, NIST
28th May 2026
In Short
- FCA and PRA AI governance expectations are already enforceable. SS1/23, Consumer Duty, SM&CR, and operational resilience obligations all apply to AI systems today, even without a standalone UK AI regulation.
- Financial services firms need five governance capabilities: AI inventory and classification, accountable ownership, model validation and explainability, fairness testing, and continuous monitoring with incident escalation.
- AI governance is becoming a supervisory priority. Regulators increasingly expect firms to evidence explainability, fairness, and oversight for AI-driven customer and risk decisions.
- The biggest risk is unmanaged AI adoption. Many firms have deployed AI into customer service, compliance, and operations without integrating those systems into formal governance and model risk frameworks.
AI governance in financial services is no longer a future-readiness exercise; it is part of current regulatory compliance. The PRA's SS1/23 expectations around model risk, the FCA's Consumer Duty obligations, and SM&CR accountability requirements already create enforceable governance duties for firms using AI in material processes. The organisations best positioned for 2026 are those treating AI governance as an extension of enterprise risk and compliance, rather than as a standalone technology initiative.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about AI governance frameworks
"The most significant practical difference between the EU AI Act, ISO 42001:2022, and NIST AI RMF for an organisation trying to build a compliant AI governance programme — specifically where firms over-invest in one framework at the expense of operational readiness under another."
Introduction
Three frameworks now define the practical landscape of AI governance for organisations operating in 2026. The EU AI Act, the first comprehensive binding legal framework for artificial intelligence, creates mandatory obligations for organisations that develop or deploy AI systems on the EU market. ISO/IEC 42001:2023, the international management system standard for artificial intelligence, provides the operational structure for implementing AI governance and is the most direct route to certification. The NIST AI Risk Management Framework (AI RMF), published by the US National Institute of Standards and Technology, is a voluntary framework that is widely referenced outside the United States as a structured approach to AI risk. This guide documents what each framework requires, who it applies to, and how they interact, so that AI governance leads can determine which apply to their organisation and how to address them without duplicating effort.
Why These Three Frameworks Define AI Governance in 2026
Organisations building or deploying AI systems in 2026 face a fragmented governance landscape. Dozens of AI ethics guidelines, national strategies, and sector-specific guidance documents exist — but three frameworks have emerged as the primary reference points for structured, auditable AI governance.
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Its prohibited-practice provisions have applied since 2 February 2025, obligations for general-purpose AI models since 2 August 2025, and most high-risk AI system obligations apply from 2 August 2026. It is the only binding legal framework in this group, so non-compliance carries regulatory and financial consequences for organisations with EU market exposure.
ISO/IEC 42001:2023, published jointly by ISO and IEC in December 2023, fills the implementation gap. Where the EU AI Act specifies what outcomes are required, ISO 42001 provides the management system architecture to achieve them: risk assessment processes, impact evaluation procedures, documentation requirements, and supplier controls. It is the de facto certification standard for AI governance and is already being referenced in procurement and supply chain requirements.
The NIST AI RMF, published by the US National Institute of Standards and Technology in January 2023, is a voluntary framework rather than a regulation: it carries no legal force even in the United States, although US federal guidance and contracts reference it. In practice it is widely referenced by UK and EU organisations, particularly in financial services and critical infrastructure, as a structured vocabulary and methodology for AI risk management. Its four-function structure (Govern, Map, Measure, Manage) has become common shorthand in governance documentation outside the US.
The EU AI Act: What It Requires and Who It Applies To
The EU AI Act is a risk-based regulation that classifies AI systems into four tiers and imposes requirements proportionate to the level of risk each tier presents.
Who Is In Scope
Scope is defined by market exposure rather than organisational location. Providers of AI systems — organisations that develop and place AI systems on the EU market — face the most significant obligations. Deployers — organisations that operate AI systems developed by others in a professional context — face a distinct but overlapping set of requirements. An organisation can be both provider and deployer simultaneously. Geographic location outside the EU does not exclude an organisation if its AI system's output is used within the EU.
The Risk Tier Structure
The Act establishes four risk categories:
- Unacceptable risk: Prohibited outright (Article 5). Includes social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions), and AI systems that exploit the vulnerabilities of specific groups. These prohibitions applied from 2 February 2025.
- High risk: Subject to the most substantive obligations. Annex III lists the use cases: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice. Annex I covers AI systems that are safety components of products already regulated under EU product safety legislation. High-risk obligations apply from 2 August 2026 for Annex III systems and from 2 August 2027 for Annex I systems.
- Limited risk: Subject to transparency obligations. AI systems that interact with humans — chatbots, for example — must be identifiable as AI. Deepfakes and AI-generated content must be labelled.
- Minimal risk: No mandatory requirements under the Act. Spam filters and AI-assisted games fall into this category.
High-Risk AI: Key Obligations
For high-risk AI systems, the EU AI Act imposes obligations across several domains before market placement and throughout the system lifecycle:
- Risk management system (Article 9): A documented, iterative process for identifying and managing risks throughout the AI system lifecycle.
- Data and data governance (Article 10): Training, validation and testing data must be relevant, sufficiently representative, and free of known errors. Data governance practices must be documented.
- Technical documentation (Article 11 and Annex IV): Comprehensive documentation of system purpose, architecture, training methodology, limitations, and performance metrics.
- Automatic logging (Article 12): High-risk AI systems must be capable of automatically recording events over their lifetime so that operation is traceable; deployers must retain these logs for at least six months (Article 26).
- Transparency and provision of information (Article 13): Deployers must receive instructions sufficient to interpret the system's output and operate it appropriately.
- Human oversight (Article 14): Systems must be designed to allow effective oversight by natural persons, including the ability to halt system operation.
- Accuracy, robustness and cybersecurity (Article 15): Systems must achieve appropriate levels of accuracy and be resilient against errors, faults and attempts by third parties to alter their use or performance. The Article names AI-specific attacks that technical measures must address: data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks, alongside vulnerabilities in the underlying software and infrastructure.
- Conformity assessment (Article 43): Required before market placement. For most Annex III systems the provider carries it out itself under the internal-control procedure (Annex VI). Assessment by a notified body (Annex VII) is required for biometric systems where harmonised standards are not applied in full, and for Annex I products whose sectoral legislation already mandates third-party assessment.
- Registration (Article 49): Providers must register Annex III high-risk AI systems in the EU database (Article 71) before placing them on the market; deployers that are public authorities must also register their use.
ISO/IEC 42001:2023: The Operational Implementation Standard
ISO/IEC 42001:2023 is the international standard for artificial intelligence management systems. It follows the same high-level structure (HLS) used by ISO/IEC 27001:2022 (for information security management) and ISO 9001 (for quality management), which means organisations already certified to those standards will find the framework architecture familiar.
The critical distinction for organisations navigating the EU AI Act is this: ISO/IEC 42001:2023 is not the EU AI Act. Certification to ISO 42001 does not confirm EU AI Act compliance. What ISO 42001 provides is the management system infrastructure (documented processes, governance structures, audit mechanisms, and controls) that makes EU AI Act compliance demonstrable and sustainable.
Scope and Applicability
ISO/IEC 42001:2023 applies to any organisation involved in the development, provision, or use of AI systems. Unlike the EU AI Act, it does not depend on geographic market exposure or risk tier classification. Any organisation can choose to certify, and certification is increasingly appearing as a supply chain requirement, particularly in regulated industries where third-party AI suppliers must demonstrate governance maturity.
Structure: Clause Requirements and Annex A Controls
The standard is structured in two parts: mandatory clause requirements (Clauses 4–10) and Annex A controls (which the organisation must evaluate and justify applying or excluding).
The mandatory clauses cover: understanding the organisation and its context (Clause 4); leadership commitment and AI policy (Clause 5); planning, including risk and impact assessment (Clause 6); support structures including resources, competence and documentation (Clause 7); operational processes including AI system lifecycle management (Clause 8); performance evaluation (Clause 9); and continual improvement (Clause 10).
Annex A controls are grouped into nine domains: policies related to AI (A.2); internal organisation (A.3); resources for AI systems (A.4); assessing impacts of AI systems (A.5); AI system life cycle (A.6); data for AI systems (A.7); information for interested parties (A.8); use of AI systems (A.9); and third-party and customer relationships (A.10).
A key deliverable of ISO 42001 certification is the Statement of Applicability — a documented register of which Annex A controls apply to the organisation's AI activities, which have been implemented, and the justification for any exclusions.
AI Impact Assessment
One of the substantively distinct elements of ISO/IEC 42001:2023 compared to prior management system standards is its requirement for AI system impact assessment, which sits alongside, not instead of, AI risk assessment (Clause 6.1.2). Clause 6.1.4 and the associated Annex A.5 controls require organisations to assess the potential impacts of their AI systems, including impacts on individuals, groups, and society, before deployment and on an ongoing basis. This goes beyond traditional risk assessment to include the societal and ethical dimensions of AI use.
Supplier and Third-Party Controls
Annex A.10 addresses third-party and customer relationships. For organisations that use AI systems developed by third parties, which includes the majority of organisations deploying commercial AI tools, the standard requires that supplier relationships be governed, that AI supplier capabilities and governance practices be assessed, and that contractual controls address AI-specific obligations. This aligns with the EU AI Act's deployer obligations and reflects the supply chain governance expectations increasingly embedded in procurement requirements across regulated industries.
NIST AI RMF: The US Framework and Its International Reach
The NIST AI Risk Management Framework, published in January 2023, was developed by NIST for voluntary use by any organisation that designs, develops, deploys or uses AI, to help it identify, assess, prioritise and respond to AI-related risks. It is a US publication and is referenced in US federal guidance and contracts, but its structured vocabulary and function-based approach have made it a widely referenced document internationally.
UK compliance and risk professionals should treat the NIST AI RMF as a methodology supplement rather than a compliance obligation unless their organisation has explicit US federal engagement or has contractually committed to NIST alignment. It does not create regulatory obligations for UK or EU organisations in its own right.
The Four Core Functions
The NIST AI RMF is organised around four functions that describe the desired outcomes of an AI risk management programme:
- Govern: Establishes organisational processes, accountability structures, and culture for AI risk management. Covers policies, roles and responsibilities, risk tolerance, and oversight mechanisms.
- Map: Identifies the context, stakeholders, and risks associated with a specific AI system. Includes use case characterisation, impact analysis, and risk prioritisation.
- Measure: Analyses and assesses AI risks using qualitative and quantitative methods. Includes testing, evaluation, and ongoing monitoring of AI system performance and behaviour.
- Manage: Implements risk response activities, including mitigation, avoidance, transfer, and acceptance. Covers incident response and recovery planning for AI-related risks.
Profiles and Tiers
The NIST AI RMF also introduces Profiles: customised implementations of the Core for a specific sector, use case, or risk context. NIST has itself published a Generative AI Profile (NIST AI 600-1). Unlike the NIST Cybersecurity Framework, AI RMF 1.0 defines no implementation tiers; it does not prescribe a level of maturity an organisation must reach and is a calibration tool rather than a certification standard.
NIST also maintains the AI RMF Playbook, which gives suggested actions, references, and documentation guidance for every subcategory across all four functions. It is a useful practical resource, though descriptive rather than prescriptive.
Framework Comparison Table
The table below summarises the key characteristics of each framework across dimensions most relevant to AI governance decisions.
| Dimension | EU AI Act | ISO/IEC 42001:2023 | NIST AI RMF |
|---|---|---|---|
| Type | EU Regulation (legally binding) | International management system standard (voluntary) | US framework published by NIST (voluntary) |
| Geographic scope | EU market: applies to organisations placing AI systems on the EU market, or whose AI output is used in the EU, regardless of where they are headquartered | Global: any organisation choosing to certify | Primarily US; widely referenced internationally |
| Who it applies to | Providers and deployers of AI systems in or affecting the EU market, across all risk tiers | Any organisation developing, providing or using AI systems that chooses to adopt it | Any organisation that chooses to adopt it; referenced in US federal guidance and contracts |
| Core structure | Risk-based tiers (unacceptable, high, limited, minimal); high-risk AI subject to mandatory conformity assessment | Plan-Do-Check-Act management system (Clauses 4-10) with Annex A controls for AI-specific risks | Four functions: Govern, Map, Measure, Manage; Profiles for tailoring to a sector or use case |
| Key obligations | Prohibited AI practices; high-risk system requirements; transparency obligations; post-market monitoring | Establish an AI management system; risk assessment; impact assessment; supplier controls; performance evaluation | Governance structures; risk identification and measurement; impact assessment; response and recovery planning |
| Certification / conformity | Conformity assessment for high-risk AI (internal control for most Annex III systems; notified body for certain biometric and Annex I cases); CE marking for compliant systems | Third-party certification available (audit process comparable to ISO/IEC 27001:2022) | No certification scheme; self-assessment based |
| Enforcement | National market surveillance authorities; fines up to EUR 35m or 7% of global annual turnover for the most serious violations | Certification body audit; no regulatory penalty built into the standard | No direct enforcement; NIST publishes, organisations adopt |
| Maturity / status | Entered into force 1 August 2024; phased application: prohibited practices from February 2025, GPAI obligations from August 2025, most high-risk obligations from August 2026 | Published December 2023; certification audits underway | Version 1.0 published January 2023; companion resources (Playbook, Generative AI Profile) continue to develop |
How the Frameworks Interact and Overlap
The three frameworks are not competing alternatives — they address different layers of the same governance challenge. Understanding how they layer together is essential to building a programme that is both compliant and operationally sustainable.
EU AI Act and ISO 42001: Complementary by Design
The EU AI Act specifies what outcomes must be achieved: risk management, documentation, human oversight, and conformity assessment. ISO/IEC 42001:2023 provides the management system architecture to achieve those outcomes systematically. An organisation certified to ISO 42001 will have documented risk assessment processes, impact assessment procedures, governance structures, and audit trails that directly support demonstration of EU AI Act compliance.
ISO 42001 certification is not a route to automatic EU AI Act conformity. Harmonised standards for the Act are being drafted by CEN-CENELEC JTC 21 under a Commission standardisation request, and at the time of writing neither the European Commission nor the European AI Office has recognised ISO 42001 as a harmonised standard under Article 40. The alignment between the standard's controls and the Act's obligations is nevertheless substantial, and ISO 42001 is widely expected to inform those harmonised standards.
NIST AI RMF and ISO 42001: Similar Structure, Different Scope
The NIST AI RMF and ISO/IEC 42001:2023 have significant conceptual overlap: both use risk-based approaches, and both address governance structures, impact assessment, and lifecycle management. For organisations already aligned to the NIST AI RMF for US purposes, moving to ISO 42001 certification is not a rebuild; it is primarily a formalisation of existing practices into an auditable management system.
NIST has published a crosswalk between the AI RMF and ISO 42001 that maps overlapping requirements. It is a useful resource for organisations trying to avoid duplication.
Where Gaps Exist
The most significant gap in the combined landscape is enforcement. ISO 42001 certification demonstrates governance intent and process quality but carries no regulatory enforcement mechanism. The NIST AI RMF has no enforcement mechanism at all outside of US federal contract requirements. Only the EU AI Act creates regulatory liability, and for high-risk AI systems with EU market exposure, ISO 42001 alignment alone is not sufficient — formal conformity assessment under the Act is required.
Decision Guide: Which Frameworks Apply to Your Organisation
The right combination of frameworks depends on your organisation's AI activities, market exposure, and sector context. The following guide covers the most common scenarios.
EU AI Act: Does It Apply?
Apply EU AI Act analysis if any of the following are true:
- Your organisation develops AI systems placed on any EU market, regardless of where your organisation is headquartered.
- Your organisation operates AI systems in a professional context in EU member states (as a deployer).
- Your organisation provides AI systems to clients or customers in EU member states.
- Your organisation's AI system outputs are used in EU decision-making, even if the system itself operates outside the EU.
If the Act applies, the next question is risk tier. Most organisations will need to conduct a formal classification exercise to determine whether their AI systems fall into high-risk categories under Annex III. Legal and technical analysis is required — classification is not always obvious and the categories are defined in functional terms.
ISO 42001: When to Pursue Certification
Pursue ISO/IEC 42001:2023 certification if any of the following apply:
- You need to demonstrate AI governance maturity to clients, procurement processes, or regulators.
- You are subject to EU AI Act obligations and want a management system that supports ongoing compliance and audit readiness.
- You are a supplier of AI systems or AI-enabled services and expect certification to feature in customer procurement requirements.
- Your organisation already operates ISO/IEC 27001 or ISO 9001 management systems; integration with ISO 42001 is structurally straightforward because the standards share the same high-level structure.
NIST AI RMF: When to Reference It
Reference or align to NIST AI RMF if any of the following apply:
- Your organisation operates in or supplies to US federal government.
- Your organisation uses the NIST Cybersecurity Framework or NIST SP 800-series as part of its security governance and wants methodological consistency.
- Your AI governance documentation needs to reference a structured risk vocabulary that is recognised internationally across multiple sectors.
- You are building cross-jurisdictional AI governance and want a framework that maps usefully to both ISO 42001 and the EU AI Act.
FAQs
Does ISO 42001 certification mean you are compliant with the EU AI Act?
No. ISO/IEC 42001:2023 certification demonstrates that you have implemented a management system for AI governance that meets the requirements of the standard. It does not constitute EU AI Act conformity in its own right. For high-risk AI systems, the EU AI Act requires a conformity assessment of each system (internal control for most Annex III systems, a notified body for certain biometric and Annex I cases), which is a separate process. ISO 42001 alignment supports that process and provides documented evidence of governance practices, but the two are legally distinct.
Does the EU AI Act apply to UK organisations after Brexit?
The EU AI Act does not apply to UK-based organisations solely by virtue of their location in the UK. However, it applies to any organisation — regardless of where it is headquartered — that places AI systems on the EU market or deploys AI systems within the EU. UK organisations with EU clients, EU operations, or AI systems used in EU contexts need to conduct a scope assessment. The UK government is developing its own AI governance approach separately; the UK has not adopted the EU AI Act.
What is the difference between the EU AI Act's conformity assessment and ISO 42001 certification?
The EU AI Act's conformity assessment is a product-level process: it assesses whether a specific AI system meets the technical and governance requirements of the Act before it can be placed on the EU market. ISO 42001 certification is an organisation-level process: it assesses whether the organisation's AI management system meets the requirements of the standard. The two serve different purposes, though ISO 42001 documentation can support the evidence required for conformity assessment.
Is the NIST AI RMF legally required for any organisation?
Outside of US federal contract requirements, the NIST AI RMF is entirely voluntary. There is no regulatory mechanism that mandates it for private sector organisations in the US, UK, or EU. Its value lies in the structured methodology and vocabulary it provides, and in its recognition as a credible governance reference by regulators and procurement bodies internationally.
When do EU AI Act high-risk obligations take effect?
For high-risk AI systems listed in Annex III of the Act, obligations apply from 2 August 2026. For AI systems that are safety components of products already regulated under EU product safety legislation (Annex I), obligations apply from 2 August 2027. Prohibited practice provisions applied from 2 February 2025. Governance obligations for general-purpose AI models, including GPAI models with systemic risk, applied from 2 August 2025.
Can a single programme address all three frameworks without building separate compliance tracks?
Yes, with the right architecture. ISO/IEC 42001:2023 provides the management system infrastructure that supports both EU AI Act compliance and NIST AI RMF alignment. An organisation that builds its AI governance programme around ISO 42001's structure, maps its controls to EU AI Act obligations for any high-risk systems, and cross-references the NIST AI RMF where US engagement requires it, can maintain a single coherent governance programme rather than three parallel workstreams.
© SureCloud 2026. All rights reserved.